I picked the Cisco 7609 router, a higher-end MPLS model that is capable of a lot of bandwidth and functions. Cisco markets it as the industry's only edge router that delivers high-performance MPLS features for enterprise WAN/MAN networks. It offers up to 720 Gbps of switching capacity in a single chassis, or 40 Gbps of capacity per slot. The data sheet also cites 256 Gbps of total throughput, thanks to a hardware-accelerated network processor for IP services. (Cisco, PDF, 2008)

I will explain optimality, robustness, reliability, overhead, and rapid convergence via routing algorithms in the following three paragraphs. The Cisco 7609 has optimality because it runs MPLS, which uses the Constrained Shortest Path First (CSPF) algorithm to compute traffic-engineered paths. It has simplicity and low overhead because MPLS carries less overhead than ATM and Frame Relay. A label-switched path (LSP) is unidirectional, so two LSPs are needed to carry traffic in both directions. Constraint-based Routing Label Distribution Protocol (CR-LDP) and RSVP-TE (Resource Reservation Protocol - Traffic Engineering) both work as label distribution protocols for traffic engineering. Each MPLS label stack entry is 32 bits: a 20-bit label value, a 3-bit Traffic Class field, a 1-bit bottom-of-stack flag, and an 8-bit Time to Live (TTL) field. The Cisco 7609 is more robust and stable than non-MPLS routers because its quality of service (QoS) approaches SONET in reliability; SONET is the optical transport that ATM traditionally runs over. Its traffic engineering framework is a lot better than the protection rings of SONET. As for flexibility, there is AToM (Any Transport over MPLS), which allows Frame Relay, PPP, HDLC, Ethernet and 802.1Q traffic to be carried over MPLS; AToM is a transport (pseudowire) service rather than a convergence mechanism. (Cisco, 2009) (Accessmylibrary, 2008) (MPLS Fundamentals, PDF, 2006)


MPLS supports traffic-engineering algorithms such as the enhanced variable splitting ratio algorithm, which performs traffic management and control so that multi-service traffic can run over a single IP infrastructure; before this, technicians had to deal with cross traffic by hand. In the static version, a traffic matrix drives the split. One of the dynamic load-balancing algorithms is MPLS Adaptive Traffic Engineering (MATE). (Cisco, 2009)

The Cisco 7609 supports multipath routing, which makes it more reliable than a single-path router. The Cisco 7609 is an intelligent router because it runs firmware (Cisco IOS). It fits a hierarchical routing design that forwards data from any non-backbone Cisco 7600 series router to a backbone router. (Cisco, 2009)

The Cisco 7609 supports the Distance Vector Multicast Routing Protocol (DVMRP), a multicast routing protocol derived from RIP (it is not a successor to RIPv2, which is a unicast protocol). This router has other network-layer abilities. Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco's enhancement of IGRP, not of DVMRP. At the network layer it does wire-speed IP, multicast and IPX forwarding with a forwarding information base that supports up to 64K entries of IP network prefixes, both unicast and multicast. A label-switched path carries traffic in one direction only, so MPLS needs two LSPs to route traffic both ways. Layer 3 routing protocols include static IP routing, Protocol Independent Multicast (PIM), EIGRP, Open Shortest Path First (OSPF) and Routing Information Protocol v2. Layer 3 related protocols include IGMP v2, IGMP snooping and Gateway Discovery Protocol. Some advanced features of the Cisco 7600 series are Integrated Routing and Bridging (IRB), standard Domain Name System (DNS) support, and DHCP relay. (Cisco, 2009) (Wikipedia, 2009) (Accessmylibrary, 2008)


An LSR that receives an unlabeled packet and adds a label is called an imposing (ingress) LSR. LSRs perform three label operations: push, swap and pop. Ingress LSRs receive an unlabeled packet and push a label onto it. Egress LSRs pop the label off. Intermediate LSRs swap the top label for a new one (and decrement the TTL) before switching the packet on to the next hop. (MPLS Fundamentals, 2006)
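The 32-bit label stack entry described earlier and the push, swap and pop operations described just above, as an added Python example (not code from the page, from Cisco, or from the MPLS Fundamentals book). The sample packet bytes are constructed here; the reserved-label meanings come from RFC 3032, which the page does not list.

```python
import struct

# Reserved label values (RFC 3032); added here, not listed on the page.
RESERVED_LABELS = {
    0: "IPv4 explicit null",
    1: "router alert",
    2: "IPv6 explicit null",
    3: "implicit null (signalled only, never appears on the wire)",
}


def pack_label_entry(label, tc, bos, ttl):
    """Encode one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= tc < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("TC, S or TTL out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def parse_label_stack(frame):
    """Walk entries until the S (bottom-of-stack) bit is set.

    Returns (entries, payload). A stack in which no entry carries the S bit
    is malformed and raises ValueError instead of reading past the frame.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", frame, offset)
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1,
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, frame[offset:]


def describe_label(label):
    """Name a reserved label, or report it as a normal forwarding label."""
    return RESERVED_LABELS.get(label, "normal label")


def push(payload, label, tc=0, ttl=255, bottom=True):
    """Ingress LSR: impose a label. bottom=True when payload is an unlabelled IP packet."""
    return pack_label_entry(label, tc, int(bottom), ttl) + payload


def swap(frame, out_label):
    """Intermediate LSR: replace the top label, decrement TTL, keep TC and S bits."""
    top = parse_label_stack(frame)[0][0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired: drop the packet instead of forwarding it")
    return pack_label_entry(out_label, top["tc"], top["bos"], top["ttl"] - 1) + frame[4:]


def pop(frame):
    """Egress LSR (or penultimate hop): remove the top entry. Returns (entry, rest)."""
    top = parse_label_stack(frame)[0][0]
    return top, frame[4:]


# Constructed sample (not from the page): a two-label stack over a 4-byte
# IPv4 header stub (version 4, IHL 5, total length 20).
IP_STUB = bytes.fromhex("45000014")
SAMPLE = push(push(IP_STUB, 16, tc=0, ttl=255, bottom=True),
              1000, tc=5, ttl=64, bottom=False)

if __name__ == "__main__":
    for e in parse_label_stack(SAMPLE)[0]:
        print(e, describe_label(e["label"]))
```

The parser stops only at an entry with the S bit set, so a frame whose stack never terminates is rejected rather than misread as payload, and swap refuses to forward a packet whose TTL would reach zero, which is how an LSR avoids forwarding loops.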

At the data link layer each interface has a MAC address. At the physical layer, the router can use 10 Gbit CAT6a straight-through cable to a switch, a crossover cable directly between two routers, and a rollover cable with an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter for the console port. (CCNA, pg 202, 2004)

To connect to a router's console from an operating system, you can use terminal programs such as HyperTerminal, MicroPhone Pro, ProComm Plus, Telix, Tera Term, and Terminal on MS-DOS/Windows. For Sun Microsystems, there is Kermit. For Linux and Mac, there is ZTerm. (CCNA, pg 204, 2004)

The Cisco IOS also has a System Configuration Dialog (setup mode) which guides the administrator through the initial configuration of the router. The router runs its startup process and applies that configuration when the System Configuration Dialog is completed. (CCNA, pg 205, 2004)

In the user interface the prompt ends with a > symbol; the default prompt is Router>. By default the router is in user EXEC mode, where the user can check the status of the router and view many settings but not change them. In privileged EXEC mode (also called enable mode, prompt Router#), you can run the setup, copy and erase commands. Many of the global configuration commands are listed below. (CCNA, pg 206, 2004)


Command                       Description
aaa                           Authentication, authorization and accounting
access-list                   Add an access list entry
alias                         Create command alias
arp                           Set a static ARP entry
async-bootp                   Modify system bootp parameters
banner                        Define login banner
boot                          Modify system boot parameters
bridge                        Bridge group
buffers                       Adjust system buffer pool parameters
busy-message                  Display message when connection to host fails
cdp                           Global CDP configuration subcommands
chat-script                   Define a modem chat script
clock                         Configure time-of-day clock
config-register               Define the configuration register
default-value                 Default character-bit values
dialer-list                   Create a dialer list entry
dnsix-dmdp                    Provide DMDP service for DNSIX
dnsix-nat                     Provide DNSIX service for audit trails
downward-compatible-config    Generate a configuration compatible with older software
enable                        Modify enable password parameters
end                           Exit from configuration mode
exit                          Exit from configuration mode
frame-relay                   Global Frame Relay configuration commands
help                          Description of the interactive help system
hostname                      Set the system's network name
interface                     Select an interface to configure
ip                            Global IP configuration commands
ipx                           Novell/IPX global configuration commands
key                           Key management
line                          Configure a terminal line
logging                       Modify message logging facilities
login-string                  Define a host-specific login string
map-class                     Configure static map class
map-list                      Configure static map list
menu                          Define a user-interface menu
modemcap                      Modem capabilities database
netbios                       NETBIOS access control filtering
no                            Negate a command or set its defaults
ntp                           Configure NTP
partition                     Partition device
priority-list                 Build a priority list
privilege                     Command privilege parameters
prompt                        Set the system's prompt
queue-list                    Build a custom queue list
resume-string                 Define a host-specific resume string
rlogin                        Rlogin configuration commands
rmon                          Remote monitoring
route-map                     Create a route-map
router                        Enable a routing process
scheduler                     Scheduler parameters
service                       Modify use of network-based services
snmp-server                   Modify SNMP parameters
state-machine                 Define a TCP dispatch state machine
tacacs-server                 Modify TACACS query parameters
terminal-queue                Terminal queue commands
tftp-server                   Provide TFTP services
username                      Establish user name authentication
x25                           X.25 Level 3

There are modes including user EXEC, privileged EXEC, global configuration, interface configuration, line configuration and router configuration. User EXEC shows the status of the router and manages connections. Privileged EXEC can manage connections and run the copy, erase, setup and show commands. Global configuration lets the administrator configure the clock, host name, enable password and enable secret. Interface configuration sets IP addresses and other per-interface settings. Line configuration covers the console, virtual terminal (vty) and auxiliary lines. Finally, router configuration configures routing protocols. (CCNA, pg 209, 2004)

The enable password is stored unencrypted (or only obfuscated with the reversible type 7 scheme when service password-encryption is on) and is used only when no enable secret is configured. The enable secret is stored as an MD5 hash (a type 5 secret), so it cannot be read back out of the configuration. The console password protects the console by prompting for a password before console access. The AUX line password prompts anyone who tries to get in through a modem. The virtual terminal lines cover all Telnet (and SSH) sessions; they are selected by typing line vty 0 4. A line password (or login local with a username) is mandatory to prevent anyone from reaching the router remotely without credentials. The administrator can attach a privilege level to a password so that access is organized as a hierarchy; for example, type enable secret level 15 ccnaflx. (CCNA, pp 210-211, 213, 220, 2004)

The following paragraph shows how to add role-based CLI views to a router from the command line interface. First, the administrator should enable AAA on the IOS (aaa new-model). Second, enter the root view, which is available to an administrator at level 15, with the enable view command and the enable secret. Third, use the parser view NAME command to create a new view. Fourth, set the password required to enter the view by typing secret 0 PASSWORD; the 0 means the password is entered in cleartext, but IOS stores it as an MD5 hash. Fifth, assign the commands the view may run with the commands command. Sixth, the administrator should use the enable view NAME command to switch to the view that was created in the third step. In the next paragraph I will explain how to protect the router's files. (TechTarget, 2008)

To protect the router's IOS image and configuration, configure the Cisco IOS Resilient Configuration feature. First, enable image resilience (secure boot-image). Second, secure the boot configuration (secure boot-config). Third, confirm that the bootset has been secured (show secure bootset). Then harden logins: fourth, create a delay between login attempts; fifth, block logins for a period after repeated failures, which slows down brute-force and denial-of-service attacks; sixth, generate syslog messages for failed and successful login attempts. The login block-for command activates the advanced login features that are part of the IOS login enhancements. Also type in login quiet-mode access-class (to let trusted hosts in during the quiet period), login delay SECONDS, login on-failure log and login on-success log. (TechTarget, 2008)
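An audit of the password and login settings discussed in the last three paragraphs, written as an added Python example (not the page's code and not a Cisco tool). It recovers type 7 strings using the well-known IOS key stream, flags cleartext passwords and a missing enable secret, and checks that login block-for, login on-failure log and SSH-only vty access are present. Both configurations below are constructed for the example; the enable secret hashes in the hardened one are placeholders, not real digests.

```python
import re

# Key stream used by the IOS "type 7" scheme; the two leading digits of a
# stored string give the starting offset. This is obfuscation, not encryption,
# which is why 'enable password' and 'service password-encryption' are not
# a substitute for 'enable secret'.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(stored):
    """Recover the cleartext from a 'password 7 ...' string."""
    seed = int(stored[:2])
    plain = []
    for i, pos in enumerate(range(2, len(stored), 2)):
        byte = int(stored[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(plain)


def type7_encode(plain, seed=9):
    """Produce a type 7 string; included only to show the scheme is reversible."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        "%02X" % (ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
        for i, c in enumerate(plain)
    )
    return "%02d%s" % (seed, body)


def audit_ios_config(text):
    """Return a list of findings for a running-config; an empty list means clean."""
    findings = []
    if not re.search(r"^enable secret ", text, re.M):
        findings.append("no 'enable secret': privileged EXEC is protected only by a "
                        "cleartext or reversible 'enable password'")
    for m in re.finditer(r"password 7 ([0-9A-Fa-f]+)", text):
        findings.append("type 7 password recovered: %r" % type7_decode(m.group(1)))
    for m in re.finditer(r"password 0 (\S+)", text):
        findings.append("cleartext password in config: %r" % m.group(1))
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+", text, re.M):
        findings.append("no 'login block-for': nothing slows down password guessing")
    if "login on-failure log" not in text:
        findings.append("failed logins are not logged ('login on-failure log' missing)")
    if re.search(r"transport input (telnet|all)", text):
        findings.append("a vty line accepts telnet: credentials cross the network in clear")
    return findings


# Constructed weak config (not from the page).
WEAK_CONFIG = """\
hostname edge-rtr
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 0 letmein
line con 0
 login
line vty 0 4
 password 7 094F471A1A0A
 login
 transport input telnet
"""

# Constructed hardened config; the $1$ strings are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$abcd$PLACEHOLDERHASHxxxxxxxxxxx
username admin privilege 15 secret 5 $1$efgh$PLACEHOLDERHASHyyyyyyyyyyy
login block-for 120 attempts 3 within 60
login delay 2
login on-failure log
login on-success log
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_ios_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit_ios_config(HARDENED_CONFIG))
```

Run it against a saved show running-config; every type 7 string it prints back in cleartext is a password that anyone who can read the configuration (a TFTP backup, a ticket attachment) already has.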

The terminal has advanced editing features, which may be disabled by typing terminal no editing in user EXEC or privileged EXEC mode. When enabled, these features let you edit a command word by word, character by character, or jump to the beginning or end of the line. Ctrl-P (or the up arrow) retrieves recent commands from the history buffer for reference, and Ctrl-N moves forward through it again. (CCNA, pg 214, 216, 2004)

In the following paragraph I am going to explain routing metrics including path length, reliability, delay, bandwidth, load and communication cost. The Cisco 7609's path length is variable with MPLS because of its label stack; each label stack entry is 32 bits with a 20-bit label value. ATM, by contrast, uses fixed 53-byte cells. As for reliability, Cisco 7609 MPLS has a recovery mechanism (fast reroute) more advanced than the protection rings of SONET. Also, with CSPF routing the shortest path can be chosen dynamically based on available bandwidth. The Cisco 7609's bandwidth can be capped at 45 Mbit/s with Frame Relay or go up to multimode fibre optic speeds of 10 Gbit/s with MPLS. MPLS has the best load ratio because it has the least latency. Communication costs will go down as MPLS is state-of-the-art: it diminishes overbooking, is more reliable, and offers higher bit rates. People who license Frame Relay won't renew the license when it expires; they'll go to the newer MPLS to save money in the long run, because the technology has been out since 2001. The Cisco 7609 dates from 2003, so it should be available used from network refurbishers such as Sapia Networks, Genesis Global and Digital Warehouse. (Wikipedia, 2009) (Cisco, 2009) (Accessmylibrary, 2008)

Router components include ROM, flash memory, NVRAM, RAM and interfaces. The ROM holds the bootstrap program, which initializes the basic hardware components. Software can be downloaded through the ROM monitor (ROMMON). The Cisco IOS image is stored in flash memory. Non-volatile RAM (NVRAM) holds the startup configuration and is not erased when the router is rebooted. RAM in a router plays the same role as RAM in a PC: it holds the running configuration, routing tables and packet buffers, and is lost on reboot. Interfaces on the Cisco 7609 include Frame Relay serial interfaces and the Ethernet and optical interfaces that carry MPLS. (CCNA, pp 221-223, 2004)
In this paper, I will cover security precautions and a file server and print server for Windows and Macintosh clients, running on Linux. Then I will set up the DHCP services. I will draft the services I plan to implement for this server and the files that need to be configured during deployment.

The security I will need for this starts with putting the hardware in a server closet. I should remove the floppy and DVD-ROM drives from the workstation computers, go into the Award/Phoenix BIOS and disable booting from the USB ports so that it is impossible to boot off them, and set a BIOS password so that setting cannot simply be switched back. I should add a GRUB password so the boot parameters cannot be edited to obtain a root shell. The nohup updatedb & command is an example of keeping a job running in the background after the administrator closes the terminal.

In the Fedora installer (Plymouth replaced RHGB as the graphical boot screen in Fedora 9), check Encrypt system to activate an encrypted file system. I can use the sudo command to kill processes without having to use su to switch to the root account; handing out the root password for su would compromise the security of the server. I should reduce the number of network services on the company server to shrink the attack surface exposed to buffer overruns. The nmap -sT server1 command will list any TCP services listening on the server. You can detect crackers with intrusion detection system (IDS) programs, including Advanced Intrusion Detection Environment (AIDE), Integrity Checking Utility (ICU), PortSentry, Snort, Linux Intrusion Detection System (LIDS), and Simple WATCHer (SWATCH). AIDE is an alternative to Tripwire with added functionality. ICU works with AIDE to run integrity checks on remote hosts. PortSentry monitors traffic on ports to see whether they are being probed. LIDS modifies the Linux kernel to increase process and file security so the system can detect a breach. Simple WATCHer monitors log files and alerts administrators. Physical security measures I will endorse are locked doors with security badge access to the server room, server cages, and electronic access control for every IT-related room. For an encrypted file system, the IT department needs either TrueCrypt or eCryptfs. If TrueCrypt is the decision, TrueCrypt will create an encrypted volume. On the other hand, eCryptfs is a stackable file system that encrypts file by file and stores each file's cryptographic metadata in the file itself when there is no hardware encryption. TrueCrypt supports the AES, Serpent and Twofish ciphers with the RIPEMD-160, SHA-512 and Whirlpool hashes. Finally, I would put a Cisco firewall in front of it and add a CipherOptics CipherEngine for the router so all outgoing information is encrypted. (Linux+, pg 674-676, 680-81, 2006) (Truecrypt, 2009) (EncryptFS, 2009) (Devx, 2008) (routers, 2008) (phoronix, 2008)

For firewall services, Fedora 10 has a firewall configuration tool under System > Administration in the GNOME menu. The first list you see is Trusted Services, where you check the ones you need, such as IPP, DNS, Samba and Samba Client. The next list is Other Ports, for miscellaneous trusted ports. Don't forget to set the default configuration to Server, because Desktop is highlighted on first execution. There is an ICMP filter in Firewall Configuration to control which ICMP error messages are sent. You can create a blacklist in it easily. Older versions of Linux use iptables directly, where you can set up which IP addresses pass through and drop the rest. If the administrator wishes to allow forwarding only for the 192.168.1.0 network, he/she first runs iptables -F to flush the existing rules. Next line: iptables -P FORWARD DROP to set the default forwarding policy to drop. Third line: iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT. Now that network is forwarded, but all other networks are blocked. Note that the commands are case-sensitive (-A, -P, DROP) and that these rules only govern the FORWARD chain; traffic aimed at the server itself goes through the INPUT chain and needs its own rules. (Linux+, pg 672-673, 2006)

For the print server, I would use the Common UNIX Printing System (CUPS), because it is newer than the alternatives and allows a computer to act as a print server. Fedora uses CUPS as its default print system. In GNOME it is managed by the print manager applet in the taskbar, where you can delete print jobs. KDEPrint is a CUPS front end too.

To check the CUPS server, first use the lpstat command to see whether any printers are available (there aren't any yet, but the command is handy once printers exist). To create a print job use lp -d printer1 /etc/inittab. The -d option specifies the destination printer.


Options of lp    Description (Linux+, pg 477, 2006)
-d               Destination printer
-i               Specifies the job ID to modify
-n               Number of copies
-o sides=...     Sets two-sided-short-edge or two-sided-long-edge printing
-q               Specifies the print job priority

Options of lpstat    Description (Linux+, pg 478, 2006)
-a                   Displays a list of all printers that are accepting jobs
-d                   Displays the default destination printer
-o printer           Displays the print jobs in the named printer's queue
-p                   Displays a list of printers and whether each is enabled
-r                   Shows whether the CUPS daemon is running
-t                   Shows all information about printers and their print jobs

Other commands are cancel followed by the job IDs to remove jobs (cancel printer1-1 printer1-2). To remove all of a user's jobs there is the -u option (cancel -u user). I can restrict users with the lpadmin command (lpadmin -p printer1 -u allow:root,user1), which denies everyone not on the allow list. The lpr command is used to print documents to the queue. lpq views the print jobs in progress. The lprm command removes print jobs. (Linux+, pp 474-478, 2006)

If you need a user interface, there is the Printer Configuration Tool in Linux. Use it to browse the CUPS queues. Second, in the 'Add a queue name' dialog box, add the name of the printer (printer1) and a short description. Third, click the Forward button to specify the queue type of the new printer; the administrator will select CUPS (IPP) from the drop-down menu. Fourth, use a raw print queue (you can try PostScript later, but first try a raw print queue for compatibility). Click Finish. Finally, click on the new entry such as "printer1" in the Printer Configuration tool and, when the Sharing Properties window comes up, select "This queue is available to all other computers" in the Queue tab. Check the box that says Automatically find remote shared queues in the General tab. (Linux+, pg 480-482, 2006)

To allow Windows clients to print to CUPS, you must install the Adobe PostScript driver from Adobe's website. I will be using the Adobe driver for this paper. To use it, go to Add Printer in Control Panel and select the "Connect to a printer on the Internet" option. When you see the text box, enter the URL of the printer queue, such as http://hostname:631/printers/PrinterName. Don't use the Generic PostScript Printer driver; instead browse for the /etc/cups/ppd/PrinterQueueName.ppd file. To add Windows driver support on the CUPS server side, install the extracted cups-windows-6.0-1.i386.rpm driver package into the /usr/share/cups/drivers directory, and the cups-windows-6.0-1.x86_64.rpm 64-bit drivers into the same /usr/share/cups/drivers/ directory. The CUPS Windows drivers can be downloaded from http://www.cups.org/software.php. All Windows machines running Windows 2000 or above are compatible with CUPS PostScript printing. Apple has had CUPS integrated into Mac OS X since 2002. (Owlfish, 2003) (Linux+, pg 478-483, 2006) (CUPS, 2009)

Linux users go into the Printer Configuration tool and select the printer1 queue that is available. In Windows, click Add Printer in Control Panel, then go down to the option "Connect to a printer on the Internet." Use the URL http://hostname:631/printers/RawPrinterQueueName. When completed, Windows clients will be able to print through the Linux print server. (Owlfish, 2003)

To connect Mac OS X to the print server, first open the Print & Fax pane in System Preferences. Second, in Mac OS X 10.4 there is only a + icon, whereas in Mac OS X 10.3 there is a Set Up Printers button at the top of the window. Third, in Mac OS X 10.3 choose IP Printing from the drop-down menu, whereas in Mac OS X 10.4 click IP Printer in the Printer Browser window. Fourth, in both Mac OS X 10.3 and 10.4, select the IPP option. Fifth, type in the hostname or IP address of the server. Sixth, type the queue path (printers/printer1) into the Queue field. (RIT, 2006) (Danka, 2002)

The Samba file server supports Windows and Mac OS X clients. It allows Windows users to drag and drop files onto the Linux server. Since Fedora 8, Samba is packaged with the OS. First, the administrator has to enable network access to the Samba server: enable the Ethernet device in the Network Configuration tool. Second, the administrator needs to update the firewall settings so the Samba service is trusted. In Fedora, click Security Level in System Settings or run system-config-securitylevel, then mark Samba as a trusted service (marking the whole Ethernet card as a trusted device switches the firewall off for that interface, so trust only the Samba ports). Third, configure the Service Configuration so that smb is enabled. Fourth, logins should be configured. To do this, create user logins with the GNOME User Manager tool; there is also a shortcut command, system-config-users. Add users as you need them and then think about which directories they will need to access on the Samba server. Fifth, I will need to configure the Samba server itself. This can be done by opening Samba under Server Settings, which edits a file called smb.conf in /etc/samba. When the application loads, open Preferences > Server Settings. Use the Windows workgroup name. The authentication mode should be user for local Samba accounts (or ads if the logins come from Microsoft Active Directory). Sixth, add users under Preferences > Samba Users; each Samba user maps to a Linux account and gets its own Samba password. Seventh, add a shared folder by clicking the Add button in the Samba Server Configuration window, with one shared directory. Eighth, the administrator restarts the Samba service from the menu: System > Administration > Server Settings > Services opens the Service Configuration window, which has a Restart icon. Ninth, the administrator moves to a Windows machine, opens Start > Run and types \\linuxserver.test.org (plan A) or \\10.2.2.3 (the IP address is plan B). Tenth, sign in with one of the names created in Samba when the server login window appears. Once this is done, the share should open in a window. (reallylinux, 2006) (Linux+, pg 664-665, 2006)

To connect a Mac OS X machine to the Samba Linux server, the user presses Command-K to bring up the Connect to Server dialog box. Second, the user types smb://10.2.2.3 in the text box. Third, select the SMB share to mount. Fourth, the user enters the Windows workgroup name (which doubles as the Samba workgroup name) in the first box, and the username and password in the second and third text boxes. To disconnect from Samba, Control-click the mounted directory and choose Eject from the menu. (techrepublic, 2008) (Linux+, pg 664-665, 2006)

The server will need the Apache web server to host a web site listing company information. Apache is the most popular web server in the world. Apache has been included with Fedora for years, so it should be on my installation DVD. To see whether Apache is already installed I would type rpm -q httpd in the terminal. If a package name such as httpd-<version>.fc10 shows up, Apache is already installed. The administrator should have included it from the installation DVD, but if for some reason he/she wants the latest version, here is how to install and configure the Apache web server. In the terminal, type su -c 'yum install httpd'. To see the status of the Apache web server, type su -c '/sbin/service httpd status'. To start Apache when the system boots, run /sbin/chkconfig --level 3 httpd on. (howtoforge, 2008) (Linux+, pg 663, 2006) (Techotopia, 2007)


Now I am about to configure the Apache server for the domain name. Open a text editor such as gedit in Linux and edit the httpd.conf file in the /etc/httpd/conf directory. First, set ServerAdmin webmaster@myexample.com, using your real address. Next, set ServerName myexample.com, using the server's real name. Afterwards, define where the web site files are going to be located with the DocumentRoot directive; an example would be DocumentRoot /var/www/myexample.com. I would create an HTML file with OpenOffice or gedit and save it as index.html in the /var/www/myexample.com directory (the path is case-sensitive, so it must match the DocumentRoot exactly). The final step is to restart the server with su -c '/sbin/service httpd restart'. (howtoforge, 2008) (Linux+, pg 663, 2006) (Techotopia, 2007)


Directives for Apache                Description (Linux+, pg 663, 2006)
Listen 80                            The Apache daemon listens for HTTP on port 80
ServerName server1.class.com         The name of the local server is server1.class.com
DocumentRoot "/var/www/html"         The document root directory is /var/www/html
DirectoryIndex index.html            The index.html file in the document root directory is sent to clients
ErrorLog /var/log/httpd/error_log    All Apache daemon error messages are written to /var/log/httpd/error_log
MaxClients 150                       Sets the maximum number of simultaneous requests to 150
User apache                          The Apache daemon runs as the local user account apache
Group apache                         The Apache daemon runs as the local group apache

To get DHCP operating in Fedora 10, the packages should already be on the installation DVD; otherwise go to the URL http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/x86_64/os/Packages/ and search for dhcp-4.0.0-30.fc10.x86_64.rpm and dhclient-4.0.0-30.fc10.x86_64.rpm. Second, the next set of directions is for the case where the DHCP files could not be installed from the installation DVD or that version is too outdated. Third, in the unpacked source directory type ./configure and then make. Fourth, type sudo make install in the terminal. Fifth, once the DHCP program is compiled with GCC, type sudo cp server/dhcpd.conf /etc to install the sample configuration file. Sixth, you must edit the settings in /etc/dhcpd.conf to match your network. Seventh, for help on configuration options, type man dhcp-options in the terminal. Eighth, type sudo touch /var/lib/dhcp/dhcpd.leases to create the lease file the daemon needs; to check the configuration for human errors, run dhcpd -t. Ninth, the administrator activates DHCP at boot by typing in the terminal: sudo chkconfig --level 35 dhcpd on. Finally, the administrator restarts DHCP by typing in the terminal: sudo /etc/init.d/dhcpd restart. (askdavidtaylor, 2006) (Linux+, pg 662, 2006)

After all this, the server and workstations should be secure and ready to go. I connected Windows, Mac OS X and Linux clients to the Fedora print server, and I logged Windows, Linux and Mac OS X clients onto the file server.


References 


Anonymous (2009). CUPS Driver. Retrieved March 13, 2009 from CUPS website:
http://www.cups.org/software.php

Anonymous (2009). CUPS Windows plugin. Retrieved March 13, 2009 from Adobe website:
http://www.adobe.com/support/downloads/product.jsp?product=44&platform=Windows

Pfeifle, K. (2002, March 02). The Unofficial CUPS-on-Apple-Mac-OS-X FAQ. Retrieved March 13, 2009 from Danka website:
http://www.danka.de/apple-cups-en/#SECTION00030

Rias, M. (2006). Configuring Samba. Retrieved March 13, 2009 from reallylinux website:
http://www.reallylinux.com/docs/sambaserver.shtml

Anonymous (2007, August 29). Configuring a Fedora Linux Based Web Server. Retrieved March 13, 2009 from Techotopia website:
http://www.techotopia.com/index.php/Configuring_a_Fedora_Linux_Based_Web_Server

Anonymous (2009). How to Forge - How to Set up WebDAV with Apache2 on Fedora 10. Retrieved March 13, 2009 from HowtoForge website:
http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-fedora-10

Taylor, D. (2006, February 7). How do I install DHCP on my Linux Server. Retrieved March 13, 2009 from askdavetaylor website:
http://www.askdavetaylor.com/how_do_i_install_dhcp_on_my_linux_server.html

Wallen, J. (2008, February 28). How do I install DHCP on my Linux Server. Retrieved March 13, 2009 from TechRepublic website:
http://blogs.techrepublic.com.com/opensource/?p=173

Anonymous (2009). Connect to a printer with Mac OS X. Retrieved March 13, 2009 from RIT website:
http://www.rit.edu/its/services/desktop_support/mac/xprinterconnect.html

Giorgetti, R. (2009, October 3). eCryptfs: Single-File Encryption in Linux. Retrieved March 13, 2009 from DevX website:
http://www.devx.com/opensource/Article/39337

Shupe, G. (2008, February 28). CipherOptics Announces Availability of CEP 10. Retrieved March 13, 2009 from Reuters website:
http://www.reuters.com/article/pressRelease/idUS154772+26-Feb-2008+BW20080226

Anonymous (2009). CipherEngine. Retrieved March 13, 2009 from CipherOptics website:
http://www.cipheroptics.com/products/cipherengine.html

Larabel, M. (2008, July 28). Red Hat Replaces RHGB With Plymouth. Retrieved March 13, 2009 from Phoronix website:
http://www.phoronix.com/scan.php?page=news_item&px=NjU3OA

Eckert, J.W., & Schitka, J.M. (2006). The Common UNIX Printing System. In Linux+ Guide to Linux Certification (2nd ed., pp. 476-479). Boston, MA: Course Technology.

Eckert, J.W., & Schitka, J.M. (2006). Configuring Printers. In Linux+ Guide to Linux Certification (2nd ed., pp. 480-482). Boston, MA: Course Technology.

Eckert, J.W., & Schitka, J.M. (2006). Configuring DHCP. In Linux+ Guide to Linux Certification (2nd ed., p. 663). Boston, MA: Course Technology.

Eckert, J.W., & Schitka, J.M. (2006). Configuring Apache. In Linux+ Guide to Linux Certification (2nd ed., p. 662). Boston, MA: Course Technology.

Eckert, J.W., & Schitka, J.M. (2006). Configuring SAMBA. In Linux+ Guide to Linux Certification (2nd ed., pp. 664-665). Boston, MA: Course Technology.

Eckert, J.W., & Schitka, J.M. (2006). Firewall Services. In Linux+ Guide to Linux Certification (2nd ed., pp. 672-673). Boston, MA: Course Technology.


Week 11
Exchange 2007
By Ian

December 18, 2009

Jeff Brown


This week I am going to design a network for 7 hospitals with the help of a PDF
file. First, I will explain how I am going to design the environment. Secondly, I
will explain how a migration versus a fresh install would work here. Thirdly, I will
describe the appropriate bandwidth for the environment (migration vs. fresh
installation). Fourthly, I am going to estimate the correct amount of bandwidth to
support mail services. Fifthly, I am going to state how much storage I need. Sixth,
I'll explain how the selected processors will grow with the company and how my
selection emulates future CPU-GPU hybrid processors like the AMD Fusion. Seventh, I
will explain the security mechanisms I've chosen for this paper. Eighth, I'm going to
explain how the mail groups and mail addresses are going to be managed. Ninth, I am
going to describe the backup strategy, such as the CommVault Simpana solution I'm
proposing. Tenth, I will explain how to resurrect the network after a catastrophe has
struck it. Eleventh, I will explain how technicians will give outside users Internet
access to my Exchange server. Twelfth, I will explain how CRM114 is better than a
plain Bayesian spam filter and how CRM114 can be integrated with Outlook.

I had help from the PDF on how to design the Exchange environment.

I will design the Exchange environment around a WAN, because I don't know the
hospital's budget and am gambling that it is high enough for a WAN rather than a VPN.
The domain controllers run Windows Server 2008 Service Pack 2 with Exchange 2007
Service Pack 2, and each site has its own. Then I will have a pair of backup domain
controllers at each site. With MRI images already highly compressed and data sent only
once, WAN optimization (compression) would see zero gain according to the PDF. The
network should use CCR with database replication, because that is what Exchange 2010
does. If the hospital can afford what a WAN costs, then a WAN would be the better
option, solely because of the bandwidth available. VPN bandwidth is difficult to
control, so even though a VPN is less expensive, the company might want uncompromised
throughput that doesn't get dropped the way a modem connection would. VPNs are great
at conserving bandwidth and money when a dedicated line isn't needed. (actionpacked,
2009) (Wikipedia, 2009)

It would have to be a migration, unlike the workstations, because workstations get
their information from the server. The server is too complex to start from scratch.
Fresh installations of Server 2008 and Exchange 2007 are only good for small
businesses, where the labor and time involved are affordable. (Exchange Server 2007
Implementation and Administration, pp. 170-212, 2008)

I will ensure the appropriate amount of bandwidth to support mail services by
installing RAM according to how many mailboxes there are. It will have to be 64-bit
multi-core CPUs to address that amount of RAM. I recommend a DDR3 motherboard,
because DDR3 RAM is on the shelf at Best Buy now, and DDR3 modules come in double the
capacity per stick of DDR2. I also heard that gzip or bzip2 compression will reduce
wire bandwidth. There should be at least 6 GB of DDR3 in there; with 6 GB, about
one-third of the RAM is used by the OS and Exchange itself, excluding the mailbox
cache. Note that more than 32 GB of RAM gives Exchange 2007 no further performance
benefit. In a similar situation with radiology departments in a previous class, I
chose SONET OC-2 as the carrier line for its weather resistance and its flexibility to
be installed anywhere without electromagnetic interference. SONET OC-2 does 103
Mbit/s. The lower-end SONET tiers now charge the same as T-carrier at similar speeds.
SONET has redundancy features that bring networks back up faster than T-carrier would.
I used that in an older class with radiology clinics that needed a WAN.
(yourdictionary, 2009)

When it comes to the storage the servers should have, I came to the conclusion that
the new Ultra-640 SCSI hard drive is the inexpensive option, but that alone does not
make it right for hospitals. SATA drives were never built for heavy enterprise usage,
which is why I go with the SCSI family. That is why I choose 8 Gbit/s Fibre Channel
(8GFC) as my storage interconnect. 8GFC is very popular in 2009 and will be the Fibre
Channel speed of choice in 2010; 4GFC was very popular in 2003, and 8GFC came out in
2008. Fibre Channel has a very low error rate, uses 98% of the available bandwidth
(unlike UTP), and consumes a fraction of the CPU resources that copper does. Because
you don't want to integrate obsolete parallel SCSI into a network unless it is very
small, I would use Fibre Channel for this situation. The benefits outweigh the cost,
and the company can grow into 8GFC. According to the book, there are separate volumes
for the different space requirements: drive C for the operating system, page file and
Exchange binaries, mirrored (RAID 1) at 72 GB; drive D for the Exchange transaction
logs, mirrored, at 146 GB; drive E for the Exchange databases and indexes, RAID 5, at
up to 2.6 TB; drive F for the LCR copy of the transaction logs, mirrored, at 146 GB;
and the fifth drive, G, for the LCR copy of the databases, RAID 5, at 2.6 TB. To break
this down: transaction log files go on separate physical disks, because sequential log
writes perform better on their own mirror. I should allow up to 10 days' worth of
transaction logs, which is about 5 GB per day. Next, I should allow 15% white space in
the maximum size of the database files, and the same 15% for deleted-item and mailbox
retention. If I use local continuous replication, the replicated transaction logs and
the backup copy go on separate physical disks, and I should size the disks ahead of
time so the backup copy fits in the available space. To defragment a database offline,
the administrator uses eseutil, and the volume must have free space equal to 110% of
the database's size. I should allow further disk space for message tracking, message
transport, HTTP, POP3 and IMAP4 protocol log files. For future mailbox expansion there
is always deflate compression. Since government regulation requires keeping email for
years, the better way is to move old mail to network-attached storage, optical storage
or tape. (SearchWindowsServer, 2005) (Exchange Server 2007 Implementation and
Administration, pp. 170-212, 2008) (Exchange 2007, pp. 342-44, 2008) (Exchange 2007,
pp. 344, 345, 2008)
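The sizing rules above add up to a short calculation, shown here as an added Python example (not code from the paper, from the cited books or from Microsoft). It applies the rules of thumb stated in the paragraph (10 days of roughly 5 GB/day logs, 15% white space, 15% retention, 110% free space for an offline eseutil defragment) to the five-volume layout and reports whether each volume fits. The per-mailbox quota, the 40 GB system-volume estimate, the 650 GB disk size and the RAID member counts are my assumptions, not figures from the paper.

```python
# Added example: Exchange 2007 mailbox-server disk sizing from the rules of
# thumb in the paragraph above. Not code from the paper or from Microsoft.
# Quota, disk sizes, RAID member counts and the system-volume estimate are
# assumptions chosen for illustration.


def database_size_gb(mailboxes, quota_gb, white_space=0.15, retention=0.15):
    """Space the .edb files need: raw mailbox data plus 15 % white space
    and 15 % deleted-item/mailbox retention, each taken on the raw size."""
    raw = mailboxes * quota_gb
    return round(raw * (1.0 + white_space + retention), 2)


def transaction_log_gb(gb_per_day=5.0, days=10):
    """Keep 10 days of logs at about 5 GB/day (the paper's figures)."""
    return round(gb_per_day * days, 2)


def defrag_headroom_gb(database_gb, factor=1.10):
    """Offline defragmentation (eseutil /d) rebuilds the database into a new
    file, so the volume needs free space of about 110 % of the database."""
    return round(database_gb * factor, 2)


def required_database_volume_gb(mailboxes, quota_gb):
    """Database volume = database + headroom for an offline defragment."""
    db = database_size_gb(mailboxes, quota_gb)
    return round(db + defrag_headroom_gb(db), 2)


def raid_usable_gb(disk_gb, disks, level):
    """Usable capacity of a RAID 1 mirror or a RAID 5 stripe with parity."""
    if level == 1:
        if disks != 2:
            raise ValueError("a RAID 1 mirror here is two disks")
        return float(disk_gb)
    if level == 5:
        if disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return float(disk_gb * (disks - 1))
    raise ValueError("only RAID 1 and RAID 5 are modelled")


def plan_volumes(mailboxes=1000, quota_gb=0.5, system_gb=40.0):
    """Map the paper's five volumes to (needed_gb, provisioned_gb, fits).

    Provisioning mirrors the layout in the text: 72 GB mirrors for C:, 146 GB
    mirrors for the log volumes, and 2.6 TB RAID 5 (assumed 5 x 650 GB) for
    each database volume. system_gb is an assumed OS + binaries + page file
    footprint, not a figure from the paper.
    """
    logs = transaction_log_gb()
    db_volume = required_database_volume_gb(mailboxes, quota_gb)
    needed = {
        "C: OS, page file, Exchange binaries (RAID 1)": system_gb,
        "D: transaction logs (RAID 1)": logs,
        "E: databases and indexes (RAID 5)": db_volume,
        "F: LCR transaction logs (RAID 1)": logs,
        "G: LCR databases (RAID 5)": db_volume,
    }
    provisioned = {
        "C: OS, page file, Exchange binaries (RAID 1)": raid_usable_gb(72, 2, 1),
        "D: transaction logs (RAID 1)": raid_usable_gb(146, 2, 1),
        "E: databases and indexes (RAID 5)": raid_usable_gb(650, 5, 5),
        "F: LCR transaction logs (RAID 1)": raid_usable_gb(146, 2, 1),
        "G: LCR databases (RAID 5)": raid_usable_gb(650, 5, 5),
    }
    return {name: (needed[name], provisioned[name], needed[name] <= provisioned[name])
            for name in needed}


if __name__ == "__main__":
    for quota in (0.5, 1.0):  # assumed per-mailbox quotas in GB
        print(f"--- {quota} GB per mailbox ---")
        for name, (need, have, ok) in plan_volumes(quota_gb=quota).items():
            status = "ok" if ok else "TOO SMALL"
            print(f"{name:48s} need {need:8.1f} GB  have {have:8.1f} GB  {status}")
```

Running it with the assumed 0.5 GB quota shows every volume fitting; doubling the quota to 1 GB pushes the 2.6 TB database volume over, because the 110% eseutil headroom has to be reserved on the same volume as the databases. That is the check worth doing before ordering disks.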

A quad-core AMD Opteron with at least 6 GB of DDR3 should be enough for Windows
Server 2008 plus Exchange 2007. When DirectX 11 is finally implemented on Server 2008
to enable GPU acceleration, it would help to put in at least a Radeon HD 5770 for its
800 stream processors. Servers run fine without DirectX 11 installed, so this is a
cutting-edge thought. Future AMD Fusion CPUs are going to be 'GPGPU CPUs' with
features of both GPUs and CPUs. The Radeon HD 5770 plus quad-core Opteron is meant to
emulate the future GPU-CPU hybrid processor called AMD Fusion, which is due to ship in
summer 2011. I cite the AMD hybrid processor to justify the somewhat expensive DirectX
11 GPUs. It's a GPGPU-oriented CPU with stream processors on the CPU die. This matters
because the AMD slogan is "The future is Fusion", and it lets me give the company what
it needs in 2009. The Cell blade servers ran two Cell Broadband Engines, so I don't
see why I can't specify CPU + Radeon HD 5770 in my paper. (Wikipedia, 2009)
(brightsideofnews, 2009) (AMD, 2009)

It needs to have CipherOptics CipherEngine encryption over the wire and RADIUS.
CipherOptics CipherEngine provides the security for MPLS networks, because MPLS by
itself does not encrypt anything. CipherEngine also does on-the-fly encryption. This
interests me because MPLS is the only way to go these days; L2TP, ATM and PPP are
obsolete. Kerberos v5 is a must. The Active Directory servers need the Encrypting File
System with SHA-512 and AES. SSL is required for financial mail. Then I must have
digital certificates so the system can tell that a message really came from you and is
not a spoofed reply sitting in your mailbox. I'll limit message size to 250 KB or 512
KB, depending on the user, so that nobody can send large attachments, and I'll set the
Prohibit Send and Prohibit Send/Receive quotas on mailboxes to blunt DoS/DDoS attacks
by mail flood. As far as security GPO features, which weren't part of the outline, I
would use Microsoft's LimitLogin in Active Directory to limit the number of concurrent
logins per user; you reach it from the Active Directory Users and Computers MMC
snap-in. The employee needs sessions before and after lunch and a break, so the limit
must allow for that. There is a GPO under Computer Configuration, Windows Settings,
Security Settings, Account Policies, Account Lockout Policy. Its settings are account
lockout duration, account lockout threshold, and reset account lockout counter after.
I will set the account lockout threshold to 6 invalid login attempts, the lockout
duration to 0 minutes so the account stays locked until an administrator unlocks it,
and the counter to reset after 30 minutes. You can have a honeypot inside a
demilitarized zone that connects to the outside world through port 80, so that all
port 80 traffic aimed at the network is visible there. A stateful firewall is the most
secure firewall, because it tracks connection state instead of judging each packet on
its own. Modern firewalls such as the Cisco PIX can recognize a DDoS attack, and the
PIX firmware can stop some DDoS attacks. A PIX firewall between the LAN and the
demilitarized zone is an excellent idea; it can close every port that isn't needed to
filter attacks. I'd have an extra firewall in case the attacker likes smurf attacks,
ping floods, SYN floods or teardrop attacks. Teardrop attacks crash unpatched Windows
systems: a teardrop is a set of IP fragments whose data overlaps. I set a hard and
soft quota around 512 KB so that the user cannot send anything other than Microsoft
Office or image formats; for Microsoft Visio files, that person could use 7z volumes
instead. Some employees are trouble, and the regular policy offenders need to be
sought out first by the administrator; it's common sense. Any dangerous email content
needs to be deleted and the sender blocked immediately. I should install AVG Internet
Security for its decent firewall, antivirus, anti-rootkit and anti-spyware to protect
against malware, crackers and spies. The last thing I would do is remove a mailbox
when an employee leaves, so he or she can't come back for revenge and gain access to
the network's trade secrets. Other things that should be disabled through GPO are USB
disks, the system tray, all folders on the hard drive unrelated to daily work, and
AutoRun on optical drives. I will lock doors too. (cipheroptics, 2009) (Exchange
Server 2007 Implementation and Administration, pp. 170-212, 2008)
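The teardrop attack mentioned above is easy to recognize once you look at fragment offsets. Here is an added Python example (not code from the paper, and not a Cisco or Microsoft component) that checks a set of IPv4 fragments, described as offset, payload length and More Fragments flag, before reassembly, rejecting a datagram whose fragments overlap or leave a hole. The sample fragment sets are constructed for the example; the byte offsets are already multiplied out of the 8-byte units the IP header uses.

```python
# Added example: overlap check for IP fragment reassembly, the condition behind
# the teardrop attack named above. Not code from the paper, Cisco or Microsoft.
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # IPv4 total-length limit; the reassembled payload must fit


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: byte offset (already multiplied out of 8-byte units),
    payload length, and the More Fragments (MF) flag."""
    offset: int
    length: int
    more: bool


def check_fragments(frags):
    """Return (ok, reason). ok is True only when the fragments tile the
    datagram exactly: no overlap, no hole, exactly one final fragment."""
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for i, f in enumerate(ordered):
        if f.length <= 0:
            return False, f"fragment {i} has no payload"
        if f.more and f.length % 8:
            return False, f"fragment {i} is not the last but is not a multiple of 8 bytes"
        if f.offset < expected:
            # Teardrop: this fragment's data begins inside the previous one.
            return False, f"overlap at offset {f.offset} (expected {expected})"
        if f.offset > expected:
            return False, f"hole before offset {f.offset}"
        if f.more and i == len(ordered) - 1:
            return False, "last fragment still has MF set"
        if not f.more and i != len(ordered) - 1:
            return False, f"fragment {i} clears MF but more fragments follow"
        expected = f.offset + f.length
        if expected > MAX_DATAGRAM:
            return False, "reassembled datagram exceeds 65535 bytes"
    return True, "ok"


def reassemble(frags, payloads):
    """Concatenate payloads in offset order, but only after check_fragments
    accepts the set; payloads maps each Fragment to its bytes."""
    ok, reason = check_fragments(frags)
    if not ok:
        raise ValueError(reason)
    return b"".join(payloads[f] for f in sorted(frags, key=lambda f: f.offset))


# Constructed sample fragment sets (not packet captures).
GOOD = [Fragment(0, 8, True), Fragment(8, 8, True), Fragment(16, 4, False)]
# Teardrop shape: the second fragment starts inside the first and ends before it,
# which gave old reassembly code a negative copy length.
TEARDROP = [Fragment(0, 32, True), Fragment(24, 4, False)]
HOLE = [Fragment(0, 8, True), Fragment(16, 4, False)]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("teardrop", TEARDROP), ("hole", HOLE)):
        print(name, check_fragments(frags))
```

A firewall or IDS that applies this check can drop the datagram before it reaches a host; the reassembly code on the host is the component that historically crashed, so the check belongs in front of it.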

The network will have subnets with IPv6 addresses; the administrator will work them
out with a subnet calculator. If it is IPv4, the network will use NAT with subnets.
For mail addresses and mail groups, you'll need Active Directory installed to support
Autodiscover when people move from seat to seat. I should use Group Policy so I can
control what users are able to do. I should enable the CTRL+ALT+DEL login. I should
have Remote Authentication Dial In User Service (RADIUS) and Kerberos 5 login. All
commercial email should have digital certificates and SSL encryption nowadays. There
should be a print spooler so there can be a print server. One Group Policy I would use
is the password-protected screensaver after 5 minutes of idle time. An administrator
must enable gzip compression on the Exchange server. I would require everybody to use
"military-grade" 12-character passwords with 3 upper-case letters, 3 lower-case
letters, 3 special characters and 3 digits, changed every 30 days to limit how long a
stolen password stays useful. I should have between 3 and 5 groups. I believe the
Finance group should be separated from the rest, because financial balances shouldn't
be anybody's business. Human Resources has its own group, and administrators/IT staff
have their own group. The fourth group could be sales reps. The fifth group could be
nurses and doctors. I think I'll allow up to 5000 members per group, because Microsoft
supports up to that many. PowerShell will help manage the addresses and groups. I need
to know how to install, upgrade and modify the Global Address List for a subsidiary.
You would create a GAL with the New-GlobalAddressList cmdlet in the Exchange
Management Shell; alternatively, the administrator can use the E-mail Address Policies
tab in the Exchange Management Console. (Exchange Server 2007, pp. 235, 236-239, 2008)
(thefreelibrary, 2009) (954network, 2009)
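The account lockout settings from the security section (threshold 6, reset after 30 minutes, duration 0) and the password rule above are worth modelling before they are pushed out by GPO, because their interaction is what decides how much an online guessing attack achieves. This added Python example (not code from the paper, and not Windows code) reproduces the documented semantics: bad attempts accumulate against the threshold, a quiet period longer than the reset window clears the counter, and a duration of 0 keeps the account locked until an administrator unlocks it. It also checks the 12-character 3/3/3/3 password rule. The user name and clock values are constructed for the example.

```python
# Added example: a model of the Account Lockout Policy and password rule chosen
# above. Not code from the paper or from Windows; it reproduces the documented
# meaning of threshold / reset window / duration so they can be reasoned about.
from datetime import datetime, timedelta
import string


class LockoutPolicy:
    def __init__(self, threshold=6, reset_after_minutes=30, duration_minutes=0):
        self.threshold = threshold                     # invalid attempts before lockout
        self.reset_after = timedelta(minutes=reset_after_minutes)
        # duration 0 = stay locked until an administrator unlocks the account
        self.duration = None if duration_minutes == 0 else timedelta(minutes=duration_minutes)


class Account:
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.duration is None:
            return True                                # until admin unlock
        return now < self.locked_at + self.policy.duration

    def attempt(self, password_ok, now):
        """Record one logon attempt; return 'ok', 'bad_password' or 'locked'.
        The attempt that trips the threshold is still evaluated ('bad_password');
        every attempt after it is refused without checking the password."""
        if self.is_locked(now):
            return "locked"
        if self.locked_at is not None:                 # timed lockout has expired
            self.locked_at, self.bad_count = None, 0
        if password_ok:
            self.bad_count = 0                         # a good logon clears the counter
            return "ok"
        # "Reset account lockout counter after": a quiet period clears the count.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= self.policy.threshold:
            self.locked_at = now
        return "bad_password"

    def admin_unlock(self):
        self.locked_at, self.bad_count = None, 0


def password_meets_rule(pw, length=12, per_class=3):
    """The paper's rule: >= 12 chars with >= 3 upper, 3 lower, 3 digits, 3 specials.
    (Stricter than the built-in Windows complexity check of 3 of 4 classes.)"""
    specials = set(string.punctuation)
    counts = {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in specials for c in pw),
    }
    return len(pw) >= length and all(n >= per_class for n in counts.values())


def simulate_bruteforce(total_attempts, seconds_between, policy=None):
    """Feed wrong passwords at a fixed rate; return how many guesses were
    actually evaluated against the password before the lockout took over."""
    policy = policy or LockoutPolicy()
    acct = Account("jdoe", policy)                     # constructed user
    t0 = datetime(2009, 12, 18, 9, 0)                  # constructed clock
    evaluated = 0
    for i in range(total_attempts):
        now = t0 + timedelta(seconds=seconds_between * i)
        if acct.attempt(False, now) == "bad_password":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("fast guessing, attempts evaluated:", simulate_bruteforce(100, 1))
    print("one guess every 30 min, attempts evaluated:", simulate_bruteforce(10, 1800))
    print(password_meets_rule("AAAbbb111!!!"), password_meets_rule("Password1!"))
```

The second simulation is the caveat: an attacker who spaces guesses at or beyond the 30-minute reset window never trips the threshold, so the lockout policy stops noisy attacks, not patient ones, and the password rule has to carry the rest.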

The administrator can add and delete users via PowerShell, and can limit mailbox
quotas with PowerShell to help reduce DoS attacks. There is also the Microsoft
Management Console with its Active Directory snap-ins, if you prefer the GUI. You can
also add or delete user accounts or groups in the Active Directory Users and Computers
window. (Microsoft, 2004) (MSExchange, 2004) (Exchange Server 2007 Implementation and
Administration, pp. 170-212, 2008)

The mailing groups I make should be organized by profession, including sales reps,
Human Resources, the technician department, administrators and VIPs. I think I'll
allow up to 5000 members per group, because Microsoft supports up to that many. I
don't know the exact amount, but I do know my limit. (TechNet, 2009)

The backup strategy design would be an extra domain controller, replicated weekly,
which is disconnected if the whole network goes down. Server hard drives should be
RAID 1 so that the mirrored drive can take over if a disk fails. Then I'll have an
offsite domain controller that updates periodically (once a week) so that data can be
restored. Commercial backup software offers incremental backup strategies, so I can
save time by backing up only the files that changed each day, and then make a
differential backup every other week. CommVault makes an excellent backup product; it
is very reliable and the best value overall compared with other enterprise software
feature sets. Simpana leads the industry in backup software. (CommVault, 2009)

I should have an extra domain controller so that you can wipe the other hard drives
and replicate them from the disconnected domain controller. If the company had more
money, there would be more than one reserved domain controller; more reserved domain
controllers would make the resurrection a lot faster. (Exchange Server 2007
Implementation and Administration, pp. 170-212, 2008)

For outside access there is RPC over HTTP and an SMTP connector. Then the
administrator sets restrictions: go into Delivery Restrictions and check the
"authenticated users only" checkbox. On the client side in Outlook 2007 (or with the
Office Custom Installation Wizard), use the Tools menu, Account Settings. Next click
the E-mail tab, then Change. Click More Settings, then the Connection tab, and open
Exchange Proxy Settings. I should select "On fast networks, connect using HTTP first,
then connect using TCP/IP". Click Apply. From the Internet, an NTLM password prompt
appears in the web browser at the URL. (Microsoft, 2009) (Exchange Server 2007
Implementation and Administration, pp. 170-212, 2008)

Spam filtering will prevent much of the spoofing and phishing that arrives as spam,
and you don't have to spend time emptying mailboxes. Companies lose a lot of money
over spam: for example, an employee gives out credit card numbers in reply to a
message that looks like it came from a bank, which banks really don't ask for. There
are different levels of sophistication in Bayesian spam filtering, and it learns as it
is used more. Bayesian filtering is supposed to catch more than 90% of spam. There is
an open source project called CRM114 that is supposed to be more effective than any
plain Bayesian filter. CRM114 is supposed to integrate with Outlook or Eudora. I would
rather use CRM114 than a plain Bayesian filter, because I know it exists now. I should
educate users about spam and never to reply, because a reply is a security breach.
(sourceforge, 2009)
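Here is what "learns as it is used" means in practice: an added Python example (not code from the paper, from CRM114 or from Microsoft) of a word-based naive Bayes spam classifier trained on a small constructed corpus. It shows how each word's spam and ham likelihoods are smoothed and combined in log space into a spam probability for a new message, and how feeding a user's corrected verdict back into the model moves the next decision. The training messages are made up for the example.

```python
# Added example: a minimal naive Bayes spam filter with feedback. Not code
# from the paper, CRM114 or Outlook; the training messages are constructed.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$%']+")


def tokens(text):
    """Lower-case word tokens; each word counted once per message."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha           # Laplace smoothing so unseen words don't zero a class
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_words = Counter()  # number of spam messages containing the word
        self.ham_words = Counter()

    def train(self, text, is_spam):
        """Learn from one labelled message; call again to learn from corrections."""
        words = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(words)
        else:
            self.ham_docs += 1
            self.ham_words.update(words)

    def word_likelihoods(self, word):
        """Smoothed P(word | spam) and P(word | ham)."""
        p_spam = (self.spam_words[word] + self.alpha) / (self.spam_docs + 2 * self.alpha)
        p_ham = (self.ham_words[word] + self.alpha) / (self.ham_docs + 2 * self.alpha)
        return p_spam, p_ham

    def spam_score(self, text):
        """Posterior P(spam | message): class priors times per-word likelihoods,
        accumulated in log space so long messages don't underflow."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for word in tokens(text):
            p_spam, p_ham = self.word_likelihoods(word)
            log_spam += math.log(p_spam)
            log_ham += math.log(p_ham)
        # Turn the two log-likelihoods back into a probability without overflow.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.5):
        return self.spam_score(text) >= threshold


# Constructed training corpus (not real mail).
SPAM = [
    "congratulations you won a free prize claim now",
    "cheap meds online buy now free shipping",
    "urgent your account is suspended verify your password now",
    "free gift card click here to claim",
]
HAM = [
    "the radiology meeting is moved to 3pm in room 2",
    "please review the attached patient schedule for monday",
    "lunch order for the ward is due by noon",
    "the backup job finished overnight without errors",
]


def build_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("claim your free prize now", "meeting moved to room 2 at noon"):
        print(f"{f.spam_score(msg):.3f}  {msg}")
```

The threshold is the tuning knob: a hospital would rather let a little spam through than quarantine a radiology schedule, so the operating threshold sits above 0.5 and the reported misses feed back into train() as they are seen.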

Ultimately, I explained how I designed my Exchange environment and considered the
options for setting it up. Next, I ensured the appropriate amount of bandwidth to
support mail services. I chose Fibre Channel storage as the type of storage I needed.
I selected a server that can handle the current staff and is also future-proof. I
discussed the security options that need to be considered. I explained how the
addresses and groups are managed and what mailing groups I will make. I explained the
backup strategy I used to ensure that no data is lost regardless of how long it was in
the system. I explained the disaster recovery plan for managing a total failure of the
server. I explained how users can receive email from outside the system. I included
the spam feature set in Exchange 2007.
[Rack diagram; the text recovered from the figure follows.] Each site rack (Rack E,
Rack F, Rack G and the other site racks) is 42U and holds an AMD Opteron 64-bit server
with 6 GB DDR3 RAM and a Radeon HD 5770; 1000 mailboxes each; servers have room to
grow. Each rack connects to the other six via SONET OC-2 (103 Mbit) multimode fibre
and multimode patch cable.


Case Project 11-1: Windows Restrictions pg 522
A GPO applies to the user and computer objects that exist in the container to which
it is linked. When a GPO is linked to a domain, it applies to all computers and users
in that domain. When it is linked to an organizational unit, it applies to all
computers and users in that organizational unit and its child organizational units.
Avoid linking GPOs across domains. (MCSE, pg 470, 2006)

Some example policies an administrator should use: the netlogon policy, because then
a user is restricted from accessing the machine when the network connection is
disabled. It restricts access to display properties even if the policy file is
deleted. With a transient policy setting, registry settings applied through Group
Policy are automatically removed when the policy no longer applies. (MCSE, pg 462,
2006)

As far as administrative templates go, the administrator needs to use System.adm,
Inetres.adm, Wmplayer.adm, Conf.adm and Wuau.adm to restrict access to the PCs.
System.adm contains a variety of system settings and desktop restrictions. Inetres.adm
can set and restrict access to Internet Explorer settings such as menu items and proxy
servers. Wmplayer.adm restricts access to Windows Media Player, and Wuau.adm controls
when clients receive Windows Updates. (MCSE, pg 463, 2006)


Further, I have to restrict access on some client machines even more, and I can do
this with the Local Computer Policy rather than a domain GPO; local policies must be
applied to each machine individually. (MCSE, pg 464, 2006)

Loopback processing mode controls how user-based Group Policy settings are applied
when a user logs on to a particular computer. In merge mode, the user configuration
settings from the computer's GPOs are applied on top of the settings that apply to the
user. In replace mode, the computer's GPOs replace the user's settings entirely,
without looking up the GPOs that apply to the user's account. That is dangerous to
manage, so I recommend merge mode. (MCSE, pg 477, 2006)

Another control I would use is security filtering on GPOs. These GPOs I would deny to
Guests and apply to all other users. These permissions lock down desktops: the
administrator should grant the Read permission but deny the Apply Group Policy
permission to the groups the GPO must not affect. (MCSE, pp. 479-480)

I can target applications with a Windows Management Instrumentation (WMI) filter.
This is a feature new since Windows XP. It plugs into the GPO's computer
configuration and can apply to third-party applications. (MCSE, pg 482, 2006)

Folder redirection allows me to change the location of a user's folder to a folder on
a server. Group Policy is used to redirect the folder, and NTFS permissions are set to
allow the user to view that server folder. The options include:

1. Redirect to the user's home directory.

2. Create a folder for each user under the root path.

3. Redirect to the following location.

4. Redirect to the local user profile location.

I pick the second option, because Rasmussen College uses this option, I believe.
(MCSE, pp. 486-487, 2006)

There is also the Kerberos policy, which governs ticket lifetimes for connected
servers and workstations. Kerberos options include 'maximum lifetime for user ticket'
and 'maximum tolerance for computer clock synchronization'. User rights options
include logon rights such as who can log on locally (interactive logon) and which
users or groups can access the PC from the network. There is a blacklist for the
opposite effect with the 'deny access to this computer from the network' and 'deny log
on locally' options. There is also a timer for disconnected sessions in the GPO
Editor, with options including Set time limit for active but idle Terminal Services
sessions, Set time limit for active Terminal Services sessions, Set time limit for
disconnected sessions, Set time limit for logoff of RemoteApp sessions, and finally
Terminate session when time limits are reached. (MCSE, pg 495, 2006) (Microsoft, 2008)

There must be a certificate authority for the Encrypting File System, and it is
configured in the form of a GPO. (MCSE, pg 502, 2006)

For security settings, I pick the security policy as well as public key policies and
software restriction policies. I can use public key policies to control the way users
receive certificates for authentication and encryption. Software restriction policies
are self-explanatory. The security GPO settings are found in the Computer
Configuration section under Windows Settings, Security Settings in the GPO Editor.
Account Policies need configuration as well; they include Password Policy, Account
Lockout Policy and Kerberos Policy. The password policy includes enforce password
history, maximum password age, minimum password age, minimum password length,
password must meet complexity requirements, and store passwords using reversible
encryption. Account Lockout Policy covers the lockout threshold and duration: account
lockout threshold, account lockout duration, and reset account lockout counter after.
Finally, Kerberos Policy contains the settings that govern the Kerberos
ticket-granting ticket. Kerberos options include Enforce user logon restrictions,
maximum lifetime for service ticket (default 600 minutes), maximum lifetime for user
ticket (default 10 hours), maximum lifetime for user ticket renewal (default 7 days),
and maximum tolerance for computer clock synchronization (default 5 minutes). I would
set all of these options to my liking. (MCSE, pp. 486-495, 2006)
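The Kerberos Policy values above decide whether a ticket is accepted, and the clock-tolerance setting is the one that bites in practice when a workstation's clock drifts. As an added Python example (not code from the paper, from Microsoft or from any Kerberos implementation), here is a check of a ticket's validity window against the policy defaults: a 10-hour user ticket lifetime, a 7-day renewal limit and a 5-minute clock tolerance. The principal name and timestamps are constructed for the example.

```python
# Added example: how the Kerberos Policy values above are applied to a ticket.
# Not code from the paper or from any Kerberos implementation; timestamps are
# constructed. It models the checks a KDC or service performs: the requester's
# clock must be within the tolerance, the ticket must be inside its lifetime,
# and a renewal is refused once the renew-till limit has passed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class KerberosPolicy:
    max_service_ticket: timedelta = timedelta(minutes=600)  # maximum lifetime for service ticket
    max_user_ticket: timedelta = timedelta(hours=10)        # maximum lifetime for user ticket (TGT)
    max_renewal: timedelta = timedelta(days=7)              # maximum lifetime for user ticket renewal
    clock_tolerance: timedelta = timedelta(minutes=5)       # maximum tolerance for clock synchronization


@dataclass
class Ticket:
    principal: str
    auth_time: datetime    # when the KDC issued it
    end_time: datetime     # expiry
    renew_till: datetime   # hard limit for renewals


def issue_tgt(principal, now, policy):
    """KDC side: the ticket's lifetimes are clamped to the policy maxima."""
    return Ticket(principal, now, now + policy.max_user_ticket, now + policy.max_renewal)


def clock_ok(client_time, server_time, policy):
    """False is the KRB_AP_ERR_SKEW condition: clocks differ by more than the tolerance."""
    return abs(client_time - server_time) <= policy.clock_tolerance


def validate(ticket, client_time, server_time, policy):
    """Return (accepted, reason) for a ticket presented at server_time by a
    client whose clock reads client_time."""
    if not clock_ok(client_time, server_time, policy):
        return False, "clock skew too great"
    if server_time < ticket.auth_time - policy.clock_tolerance:
        return False, "ticket not yet valid"
    if server_time >= ticket.end_time:
        return False, "ticket expired"
    return True, "ok"


def renew(ticket, now, policy):
    """Extend end_time by one ticket lifetime, never past renew_till. Returns
    None when the ticket has expired or the renewal window is over, in which
    case the user must authenticate again."""
    if now >= ticket.end_time or now >= ticket.renew_till:
        return None
    new_end = min(now + policy.max_user_ticket, ticket.renew_till)
    return Ticket(ticket.principal, ticket.auth_time, new_end, ticket.renew_till)


if __name__ == "__main__":
    policy = KerberosPolicy()
    t0 = datetime(2009, 12, 18, 8, 0)                       # constructed clock
    tgt = issue_tgt("nurse1@HOSPITAL.LOCAL", t0, policy)    # constructed principal
    print(validate(tgt, t0 + timedelta(hours=1), t0 + timedelta(hours=1), policy))
    print(validate(tgt, t0 + timedelta(hours=1), t0 + timedelta(hours=1, minutes=6), policy))
    print(renew(tgt, t0 + timedelta(hours=9), policy))
```

The skew check is why domain members must keep time from the domain controller: a workstation six minutes out is refused before its ticket is even looked at, and the user sees a logon failure that has nothing to do with the password.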

Another GPO policy I would use is auditing people in the meeting room via the Audit
Policy under Local Policies. Any accounts placed in the secure systems organizational
unit would have everything audited. (MCSE, pg 496, 2006)

To prevent mischief there are local NTFS permissions, and you can deny access to the
hard drive in case a user finds a way to bypass the 'deny log on locally' option. They
are applied by using a security template. (MCSE, pg 501, 2006)

I can control who may use a computer through the "logon rights", and there are 10 of
them: Access this computer from the network, Allow log on locally, Allow log on
through Terminal Services, Deny access to this computer from the network, Deny log on
as a batch job, Deny log on as a service, Deny log on locally, Deny log on through
Terminal Services, Log on as a batch job, and Log on as a service. I would use the
default settings on these options, except that I might set 'deny access to this
computer from the network' and 'deny log on locally' for particular accounts. Maybe
the administrator wants everyone to log on with a domain account and not have a local
account, because the PC doesn't serve that purpose and it reduces trouble and
misconfiguration by the employees who use these machines daily without administrative
credentials. (MCSE, pg 497, 2006)

Creating a GPO

1. Start your server and log on using the Administrator account in the ChildXX
domain with its password.

2. Click Start and then click Run. In the Open drop-down list box, type mmc and
click OK.

3. Click File on the menu bar and then click Add/Remove Snap-in.

4. Click Add. In the Add Standalone Snap-in dialog box, click Group Policy Object
Editor, and then click the Add button.

5. In the Select Group Policy Object dialog box, click Browse.

6. In the Browse for a Group Policy Object dialog box, click the All tab to display
a list of all GPOs that currently exist.

7. In the All Group Policy Objects stored in this domain section, right-click a
blank area and click New.

8. Rename the new GPO Test Policy XX and press Enter. Click OK and then click
Finish.

9. Click Close on the Add Standalone Snap-in window, and click OK on the Add/Remove
Snap-in window. You can now edit the GPO using the console.

10. Close the MMC window without saving your changes.

11. Log off the server.

(MCSE, pp. 466-467, 2006)

Create a GPO using Active Directory

1. Log onto the server using the Administrator account in the ChildXX domain using the password.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand the childXX.supercorp.net domain of the forest root domain for which your server is a domain controller in the left tree pane.

4. Right-click the North America XX organizational unit and then click Properties.

5. Click the Group Policy tab.

6. Click Add. The Add a Group Policy Object Link window opens. Click the All tab.

7. In the All Group Policy Objects stored in this domain section, click Test Policy XX and then click OK. Notice that the GPO named Test Policy XX now appears in the list of Current Group Policy Object Links for your North America organizational unit.

8. Click the New button, and create a new GPO named Desktop Security Policy XX and press Enter. This new GPO is now linked to your North America organizational unit.

9. Ensure that Desktop Security Policy XX is selected and click Edit.

10. In the left tree pane under the User Configuration node, click the + next to Administrative Templates to expand its contents, and then click the Start Menu and Taskbar container.

11. Double-click Remove Run menu from Start Menu in the right details pane.

12. Close the Group Policy Object Editor.

13. Click Close in the Properties dialog box of your North America organizational unit.

(MCSE, pp 468-469, 2006)
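The two click-through procedures above can be reproduced from a script, which is how an administrator would make the result repeatable and auditable. The following PowerShell is an added example and not part of the coursework or of the MCSE lab; it uses the GroupPolicy module, which ships with Windows Server 2008 R2 and later (and with RSAT), not with the Windows Server 2003 environment the lab steps describe. The domain name childXX.supercorp.net and the OU name North America XX are taken from the steps above (replace XX with your own number); the OU distinguished name built from them is an assumption, as is the use of the NoRun registry value, which is what the "Remove Run menu from Start Menu" administrative template writes.

```powershell
# Added example (not the coursework's own code): create the two lab GPOs,
# link them to the OU and apply the "Remove Run menu from Start Menu" setting.
# ASSUMPTIONS: domain and OU names come from the lab text; the DN is constructed.
Import-Module GroupPolicy

$domain = 'childXX.supercorp.net'                                # from the lab (replace XX)
$ouDn   = 'OU=North America XX,DC=childXX,DC=supercorp,DC=net'  # assumed DN for the lab OU

# First procedure, step 8: an unlinked GPO that only exists in the domain store.
$testGpo = New-GPO -Name 'Test Policy XX' -Domain $domain

# Second procedure, steps 6-7: link the existing GPO to the OU.
New-GPLink -Name $testGpo.DisplayName -Target $ouDn -Domain $domain | Out-Null

# Second procedure, step 8: the console creates and links in one step; in
# PowerShell the link is an explicit second call.
$desktopGpo = New-GPO -Name 'Desktop Security Policy XX' -Domain $domain
New-GPLink -Name $desktopGpo.DisplayName -Target $ouDn -Domain $domain -LinkEnabled Yes | Out-Null

# Steps 10-11: User Configuration > Administrative Templates > Start Menu and
# Taskbar > "Remove Run menu from Start Menu" is the NoRun DWORD under the
# Explorer policies key of HKCU (assumption stated in the lead-in).
Set-GPRegistryValue -Name $desktopGpo.DisplayName -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Verification: every GPO linked to the OU, in processing order, and the
# setting that was just written. This is what you would check before
# closing the console in step 13.
Get-GPInheritance -Target $ouDn -Domain $domain |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

Get-GPRegistryValue -Name $desktopGpo.DisplayName -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ValueName 'NoRun'
```

Run it from an elevated PowerShell session on a domain controller or a machine with RSAT installed, as an account that can create GPOs and link them to the OU. Because the script names the GPOs exactly as the lab does, running it twice fails on the second New-GPO call rather than silently creating duplicates; that is the behaviour you want for a change that is meant to be applied once.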


Case Project 11-3: Equal Rights

Web server backup and restoration administrator

Some local policy would allow a backup operator to do his job by granting him access to log on locally under that logon right. Then the backup operator has privileges like “Back up files and directories”, “Restore files and directories”, and “Shut down the system” for when he’s done. However, a backup operator wouldn’t have the “Take ownership of files or other objects” privilege.

Other ones that basic administrators have are access this computer from the network, allow log on locally, and allow log on through Terminal Services, and they have add workstations to a domain, shut down the system, and take ownership of files or other objects.

(MCSE, pp 498-499, 2006)

Active Directory security administrator

The content of the SACL is controlled by security administrators for the local computer. Security administrators are users who have been assigned the Manage auditing and security log privilege. By default, this privilege is assigned to the built-in Administrators group.

Security admins have rights which are access this computer from the network, allow log on locally, and allow log on through Terminal Services, and they have add workstations to a domain, manage auditing and security log, back up files and directories, shut down the system, and take ownership of files or other objects.

(MCSE, pp 498-499, 2006)
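Both the list of ten logon rights earlier on this page and the backup-operator and security-administrator cases in Case Project 11-3 come down to the same question: which accounts actually hold each right on a given machine? The following PowerShell is an added example and not part of the coursework; it exports the local security policy with secedit, parses the [Privilege Rights] section, and prints the holders of the ten logon rights and of the privileges the two cases discuss. The Se* constants and their console names are the real ones secedit and the Local Security Policy console use; the temporary file name and the (nobody) placeholder are this example's own choices.

```powershell
# Added example (not the coursework's own code): audit who holds the logon
# rights and privileges discussed on this page. Run from an elevated prompt;
# secedit /export needs administrative rights.

# The ten logon rights from the MCSE text, keyed by the constant secedit writes.
$logonRights = [ordered]@{
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeBatchLogonRight'                 = 'Log on as a batch job'
    'SeServiceLogonRight'               = 'Log on as a service'
}

# The privileges Case Project 11-3 assigns to (or withholds from) the two roles.
$privileges = [ordered]@{
    'SeBackupPrivilege'         = 'Back up files and directories'
    'SeRestorePrivilege'        = 'Restore files and directories'
    'SeShutdownPrivilege'       = 'Shut down the system'
    'SeTakeOwnershipPrivilege'  = 'Take ownership of files or other objects'
    'SeSecurityPrivilege'       = 'Manage auditing and security log'
    'SeMachineAccountPrivilege' = 'Add workstations to domain'
}

function Get-PrivilegeRightsTable {
    # Export only the USER_RIGHTS area and parse the [Privilege Rights] section
    # into a hashtable of constant -> raw comma-separated assignment string.
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'   # temp file name is this example's choice
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $table = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\S+)\s*=\s*(.*)$') { $table[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $table
}

function Resolve-Holder {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\Name.
    # Well-known names (e.g. Everyone) may appear without the prefix and are kept as-is.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }   # unresolvable SID (deleted account, untrusted domain)
    }
    return $Entry
}

function Show-Assignments([System.Collections.Specialized.OrderedDictionary]$Names, [hashtable]$Table) {
    foreach ($constant in $Names.Keys) {
        $raw = $Table[$constant]
        # A constant missing from the export means no account holds that right.
        $holders = if ($raw) { ($raw -split ',') | ForEach-Object { Resolve-Holder $_.Trim() } } else { @('(nobody)') }
        [pscustomobject]@{ Right = $Names[$constant]; AssignedTo = ($holders -join '; ') }
    }
}

$t = Get-PrivilegeRightsTable
Write-Host '== Logon rights =='
Show-Assignments $logonRights $t | Format-Table -AutoSize
Write-Host '== Privileges from Case Project 11-3 =='
Show-Assignments $privileges $t | Format-Table -AutoSize
```

Reading the output against the page's argument: on a workstation where the administrator has chosen "Deny log on locally" for ordinary users, that row should list the users' group, and a backup operator who can do his job should appear under "Back up files and directories", "Restore files and directories" and "Shut down the system" but not under "Take ownership of files or other objects". Deny rights always win over allow rights, so an account listed in both a Deny row and the matching Allow row is effectively denied.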
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